CVE-2019-19202

In Vtiger 7.x before 7.2.0, the My Preferences saving functionality allows a user without administrative privileges to change his own role by adding roleid=H2 to a POST request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
vtigervtiger_crm
7.0 ≤
𝑥
< 7.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html
https://code.vtiger.com/vtiger/vtigercrm/issues/1126
http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-April/037964.html
https://code.vtiger.com/vtiger/vtigercrm/issues/1126